---
title: Weave Policy Set
hide_title: true
---

import TierLabel from "../_components/TierLabel";

# PolicySet <TierLabel tiers="Enterprise" />

This is an optional resource. It is used to select group of policies to work in specific modes.

In each mode, The agent will list all the PolicySets of this mode and check which policies match any of those policysets, Then validate the resources against them.

If there is no policy set found all policies will work on all modes.

> Note: [Tenant Policies](./policy.mdx#tenant-policy) is always active in the [Admission](#admission) mode, event if it is not selected in the `admission` policysets

**Example**
```yaml
apiVersion: pac.weave.works/v2beta2
kind: PolicySet
metadata:
  name: my-policy-set
spec:
  mode: admission
  filters:
    ids:
      - weave.policies.containers-minimum-replica-count
    categories:
      - security
    severities:
      - high
      - medium
    standards:
      - pci-dss
    tags:
      - tag-1  
```

## Modes

### Audit

This mode performs the audit functionality. It triggers per the specified interval (by default every 24 hour) and then lists all the resources in the cluster which the agent has access to read and validates those resources against the audit policies.

> Works with policies of provider `kubernetes`


### Admission

This contains the admission module that enforces policies. It uses the `controller-runtime` Kubernetes package to register a callback that will be called when the agent receives an admission request. Once called, the agent will validate the received resource against the admission and tenant policies and k8s will use the result of this validation to either allow or reject the creation/update of said resource.

> Works with policies of provider `kubernetes`


### Terraform Admission

This is a webhook used to validate terraform plans. It is mainly used by the [TF-Controller](https://github.com/weaveworks/tf-controller) to enforce policies on terraform plans

> Works with policies of provider `terraform`


## Grouping Policies

Policies can be grouped by their ids, categories, severities, standards and tags

The policy will be matched if any of the filters are matched.


## Migration from v2beta1 to v2beta2

### New fields
- New required field `spec.mode` is added. PolicySets should be updated to set the mode

Previously the agent was configured with which policysets to use in each mode. Now we removed this argument from the agent's configuration and
add the mode to the Policyset itself. 

#### Example of the agent configuration in versions older than v2.0.0

```yaml
# config.yaml
admission:
   enabled: true
   policySet: admission-policy-set
   sinks:
      filesystemSink:
         fileName: admission.txt
```

#### Example of current PolicySet with mode field

```yaml
apiVersion: pac.weave.works/v2beta2
kind: PolicySet
metadata:
  name: admission-policy-set
spec:
  mode: admission
  filters:
    ids:
      - weave.policies.containers-minimum-replica-count
```


### Updated fields
- Field `spec.name` became optional.

### Deprecate fields
- Field `spec.id` is deprecated.
